Astra Wireless Documentation

Astra Wireless Technology © 2024. All rights reserved. For more information about available models, sales and technical support, please proceed to https://astrawireless.net/


IP Firewall

IP Firewall is a mechanism for filtering packets that cross an IP network node, according to different criteria. The system administrator may define a set of incoming filters and a set of outgoing filters. The incoming filters determine which packets may be accepted by the node. The outgoing filters determine which packets may be forwarded by the node as a result of routing. Each filter describes a class of packets and defines how these packets should be processed (reject and log, accept, accept and log).

Packets can be filtered based on the following criteria:

  • Protocol (IP, TCP, UDP, ICMP, ARP)

  • Source address and/or destination address (and port numbers for TCP and UDP)

  • The inbound network interface

  • Whether the packet is a TCP/IP connection request (a packet attempting to initiate a TCP/IP session) or not

  • Whether the packet is a head, tail or intermediate IP fragment

  • Whether the packet has certain IP options defined or not

  • The MAC address of the destination station or of the source station.

The figure below illustrates how packets are processed by the filtering mechanism of the router:

There are two classes (sets) of filters - prohibiting (reject) and permitting (accept).

Furthermore, a filter may be applied to all inbound packets or only to packets arriving via a specific interface. Each received packet is checked against all filters in the order they are put in the set.

The first filter that matches the received packet determines how the packet is treated. If the filter is an accept filter, the packet is accepted, otherwise it is rejected. If the packet matches no filter in the set, or if the set is empty, the packet is accepted.

NOTE

Rejected packets are discarded without notification to the sender.

Packet filtering rules

Every packet entering a router passes through a set of input filters (blocking filters). The packets accepted by the input filter set are further processed by the IP layer of the router kernel. If the IP layer determines that the packet should be forwarded rather than delivered to the router itself, it hands the packet to the set of outgoing filters (forwarding filters).

Information on packets rejected by any filter is displayed on the operator’s terminal and the packets themselves are discarded without any notice to their sender.

A packet "advancing through" a set of filters is checked against each filter in the set, from the first one to the end of the set, or until the first matching filter. The algorithm is as follows:

  1. If the filter set is empty, the packet is accepted

  2. Otherwise, the first matching filter decides what to do with the packet. If it is an accept filter, the packet is accepted. If it’s a reject filter, the packet is rejected (discarded)

  3. If no filter has been found that matches the packet, it is accepted.

IP Firewall parameters

In the "IP Firewall parameters" section, you can view the IP Firewall rules that are already created; you can create a new rule for the current switch group by clicking the «Add Rule» button, or you can permanently remove the rule from the configuration by clicking the «Remove Rule» button.

Rule
Description

Action

Set the action for the rule: permit/deny/pass:

  • “Permit” - the packet is processed by the system (ignoring other firewall rules).

  • “Deny” - the packet is dropped.

  • “Pass” - the packet is passed to the next rule in the list and logged in the system log (only if the log check box is marked).

Channel

If you allocate a number for a logical channel that was not previously created in the "Traffic Shaping" section, it has no effect on the rule configuration.

For instructions on how to create a logical channel, please refer to the "Traffic Shaping" section below.

Priority

Set the priority for the packets going through the new rule of the filter:

  • “Up to” - used to increase the packet priority to the specified value only if the processed packet has a lower priority.

  • “Set” - used to assign a new priority regardless of the value already assigned to the packet.

Log

Enable/disable filter actions logging in the system log.

Direction

Set the input/output direction for applying the new rule:

  • “Input” - the rule is used to process inbound traffic.

  • “Output” - the rule is used to process outbound traffic and for post-routing packet filtering.

Interface

Set the interface for applying the new rule.

All the available interfaces are displayed in the dropdown list (physical and logical).

If “any” option is used, the rule is applied to all available interfaces.

Group

Set the Switch Group number to which the new rule applies.

The Switch Group must be created beforehand.

Rule

Set the packet capture filter for IP firewall.

It uses the same syntax, called “PCAP expression”, as in the "Switching" section.

Refer to the filter expression syntax description above.

By clicking the «Validate» button, you can check the syntax of the expression in the “Rule” field.

The «Up/Down» arrows allow you to organize the rules list. The rules are processed one by one in top-down order.
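
The evaluation order described on this page (top-down, the first matching rule decides, “Pass” hands the packet to the next rule, and a packet that matches nothing is accepted) modelled in Python to show that a rule set holding only a permit rule still accepts all other traffic until a final catch-all deny is appended. This is an added example, not Astra Wireless code. The `Rule` class, the Python predicates standing in for PCAP expressions, the interface name and the addresses are assumptions constructed for illustration.

```python
# Added example: model of the first-match evaluation described on this page.
# Python predicates stand in for the PCAP expression of each rule (assumption).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

@dataclass
class Rule:
    action: str                     # "permit", "deny" or "pass"
    match: Callable[[dict], bool]   # stand-in for the "Rule" PCAP expression
    direction: str = "input"        # "input" or "output"
    interface: str = "any"
    log: bool = False

def evaluate(rules, pkt, direction="input"):
    """Return (verdict, log_lines) for one packet, top-down, first match wins."""
    logs = []
    for n, r in enumerate(rules, 1):
        if r.direction != direction or r.interface not in ("any", pkt["iface"]):
            continue
        if not r.match(pkt):
            continue
        if r.log:
            logs.append(f"rule {n} {r.action} {pkt['src']}->{pkt['dst']}:{pkt['dport']}")
        if r.action == "pass":      # non-terminal: hand over to the next rule
            continue
        return ("accept" if r.action == "permit" else "reject"), logs
    return "accept", logs           # empty set or no matching rule: accepted

def is_default_open(rules, direction="input"):
    """True if a packet that matches no specific rule would be accepted."""
    probe = {"iface": "probe0", "proto": "none", "src": "0.0.0.0",
             "dst": "0.0.0.0", "dport": -1}   # constructed, matches only catch-alls
    return evaluate(rules, probe, direction)[0] == "accept"

# Constructed sample data: management SSH allowed from 10.0.0.0/24 only.
MGMT = ip_network("10.0.0.0/24")
WEAK = [
    Rule("pass", lambda p: p["proto"] == "tcp", log=True),
    Rule("permit", lambda p: ip_address(p["src"]) in MGMT and p["dport"] == 22),
]
HARDENED = WEAK + [Rule("deny", lambda p: True, log=True)]  # explicit final deny
ADMIN = {"iface": "eth0", "proto": "tcp", "src": "10.0.0.7", "dst": "192.0.2.1", "dport": 22}
OUTSIDER = dict(ADMIN, src="203.0.113.5")

if __name__ == "__main__":
    for name, rs in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, evaluate(rs, OUTSIDER)[0], "default-open:", is_default_open(rs))
```
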

Channel: allocate a logical channel if logical channels were previously created in the "Traffic Shaping" section (it is active only if the action "permit" is selected).